Austin Chapter

Metaframework in the SCF - Secure Controls Framework by Compliance Forge

    Posted Oct 27, 2022 04:09:00 PM
    If CSA community practitioners haven't encountered this one before and are looking for one, this is a solid guidance framework that I've been using to help guide my cloud customers on internal controls, called the SCF (Secure Controls Framework). It is called a metaframework since it is a framework of frameworks and covers many domains, including risk management.

    Key summary points:
    • Openly licensed under Creative Commons (no subscription for updates required), but cannot be reused and repackaged as part of a product for revenue
    • Positioned and used primarily for internal controls
    • Is Excel friendly and can be imported into a SaaS toolset
    • Has documentation that can be scanned and reused for and by end-users
    • Has 32 domains covered with over 1K controls covered
    • Covers a multi-vendor landscape (Ostendio, Logicgate, Ignyte, etc.)
    • There isn't an SCF certification available but a CAP (Conformity Assessment Program) is in progress (launch date: TBD)
    • The SCF Metaframework is easier to adopt and more holistic, less proprietary than others
    • People, Processes and Technology under the C4P (Cybersecurity 4 Privacy by Design) can be presented to executives simply without the need of having a lot of deep rabbit-hole discussions, with a focus on metrics
    As always, hit me up if you have any practitioner questions and I'll try to get back to you in a day or so.


    Kristian Gonzalez
    Security Team
    IoT Home Lab